What is the difference in security between a VPN- and a SSL-connection?

  • I would like to design a client-server application where the server is placed on the Internet. I assume that I could set up the client-server connection using VPN (is it using IPsec?) or using an SSL connection (possibly https). What are the differences between VPN/IPsec and SSL/https for securing a client-server connection over the Internet?

    More insight on your intended client base and the nature of your application would help you get a better answer and help us avoid going off on unrelated tangents :)

    For clear understanding of VPN: watch this video http://www.youtube.com/watch?v=KFODy-dHcU8

  • VPN means "Virtual Private Network". It is a generic concept which designates a part of a bigger network (e.g. the Internet at large) which is logically isolated from the bigger network through non-hardware means (that's what "virtual" means): it is not that we are using distinct cables and switches; rather, isolation is performed through use of cryptography.

    SSL (now known as TLS) is a technology which takes a bidirectional transport medium and provides a secured bidirectional medium. It requires the underlying transport medium to be "mostly reliable" (when not attacked, data bytes are transferred in due order, with no loss and no repetition). SSL provides confidentiality, integrity (active alterations are reliably detected), and some authentication (usually server authentication, possibly mutual client-server authentication if using certificates on both sides).

    So VPN and SSL are not from the same level. A VPN implementation requires some cryptography at some point. Some VPN implementations actually use SSL, resulting in a layered system: the VPN transfers IP packets (of the virtual network) by serializing them on an SSL connection, which itself uses TCP as a transport medium, which is built over IP packets (on the physical unprotected network). IPsec is another technology which is more deeply integrated in the packets, which suppresses some of those layers, and is thus a bit more efficient (less bandwidth overhead). On the other hand, IPsec must be managed quite deep within the operating system network code, while an SSL-based VPN only needs some way to hijack incoming and outgoing traffic; the rest can be done in user-level software.

    As I understand your question, you have an application where some machines must communicate over the Internet. You have some security requirements, and are thinking about either using SSL (over TCP over IP) or possibly HTTPS (which is HTTP-over-SSL-over-TCP-over-IP), or setting up a VPN between client and server and using "plain" TCP in that private network (the point of the VPN is that it gives you a secure network where you need not worry anymore about confidentiality). With SSL, your connection code must be aware of the security; from a programming point of view, you do not open an SSL connection as if it was "just a socket". Some libraries make it relatively simple, but still, you must manage security at application level. A VPN, on the other hand, is configured at operating system level, so the security is not between your application on the client and your application on the server, but between the client operating system and the server operating system: that's not the same security model, although in many situations the difference turns out not to be relevant.

    In practice, a VPN means that some configuration step is needed on the client operating system. It is quite invasive. Using two VPN-based applications on the same client may be problematic (security-wise, because the client then acts as a bridge which links together two VPNs which should nominally be isolated from each other, and also in practice, because of collisions in address space). If the client is a customer, having him configure a VPN properly looks like an impossible task. However, a VPN means that applications need not be aware of security, so this makes it much easier to integrate third-party software within your application.
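The answer's point that with SSL "you do not open a SSL connection as if it was just a socket" is easiest to see in code. The following Go program is an added example written for this page; it is not code from the answer or from any project mentioned here. It generates an ephemeral self-signed certificate for the hypothetical host name `server.example` (constructed for the example), runs a TLS-wrapped echo server on a loopback port, and then connects twice: once as an application that explicitly supplies the trust anchor and expected server name, and once as an application that does not. The second client is rejected at the handshake, which is exactly the security decision that a VPN would have moved out of the application and into the operating system. The stack used is also the layering the answer describes: application bytes over TLS over TCP over (loopback) IP.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// serverName is a hypothetical host name used only for this example.
const serverName = "server.example"

// newSelfSignedCert creates an ephemeral P-256 key and a self-signed certificate
// for serverName (constructed here; a real deployment would use a CA-issued one).
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// startEchoServer listens on a loopback TCP port; every accepted connection is
// wrapped in TLS by the application before a single line is echoed back.
func startEchoServer(cert tls.Certificate) (net.Listener, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
					c.Write([]byte(line))
				}
			}(c)
		}
	}()
	return ln, nil
}

// echoOverTLS is the application-level client. It has to provide the trust
// anchors and the expected server name itself: nothing below the application
// (TCP, IP) knows anything about the security of this connection.
func echoOverTLS(addr string, roots *x509.CertPool, msg string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return "", err // handshake or certificate verification failed
	}
	defer conn.Close()
	if _, err := conn.Write([]byte(msg + "\n")); err != nil {
		return "", err
	}
	reply, err := bufio.NewReader(conn).ReadString('\n')
	if err != nil {
		return "", err
	}
	return reply[:len(reply)-1], nil
}

// Demo runs the server and two clients: one that trusts the server certificate
// and one that trusts nothing (empty pool). It returns the trusted client's reply
// and whether the untrusted client was refused at the handshake.
func Demo() (reply string, untrustedRejected bool, err error) {
	cert, leaf, err := newSelfSignedCert()
	if err != nil {
		return "", false, err
	}
	ln, err := startEchoServer(cert)
	if err != nil {
		return "", false, err
	}
	defer ln.Close()
	roots := x509.NewCertPool()
	roots.AddCert(leaf)
	if reply, err = echoOverTLS(ln.Addr().String(), roots, "hello"); err != nil {
		return "", false, err
	}
	_, err = echoOverTLS(ln.Addr().String(), x509.NewCertPool(), "hello")
	return reply, err != nil, nil
}

func main() {
	reply, rejected, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("trusted client got %q; untrusted client rejected: %v\n", reply, rejected)
}
```

Note that the trust decision (`RootCAs`, `ServerName`) lives in the client code and would have to be repeated, correctly, in every application that talks to the server; with an OS-level VPN the application would call plain `net.Dial` and the same decision would be made once in the tunnel configuration.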

    To add to the above, given the fact that many applications do not properly implement SSL libraries, resulting in serious security compromises, it may be wise to consider using VPN to ensure you don't rely on each application's individual SSL implementation, but rather on one that has been well audited (open-source VPN solutions like OpenVPN).

    To clarify, SSL happens at layer 7 in the OSI model - every application has to have its own implementation. (Most) VPNs operate at the network layer (3), which means that everything that happens at higher layers is at least not nakedly exposed to the Big Bad Internet. It does not mean they're secure; that assumption can be dangerous.

    Unless I'm wrong, from the practical point of view, one uses a VPN as a **private** network. Globally/Practically, SSL is for a public audience, VPN is aiming at private networking. *This is certainly too simplistic. If it is, please don't blame, but explain.*

    @Strukt: you maintain the privacy of your home by closing the door. People, from the outside, see the surface of the closed door.

    @ThomasPornin yeah, it is *virtual* privacy. One sees the door, but does not know what's behind... SSL does the same, it is not a door but pipes if you want. Brief, to me **SSL and VPN both encrypt traffic data, but SSL allows anybody to get/post data, while VPN deals data only with the authorized clients.** Nope?

    @Strukt: no. SSL is the door, VPN is the contents of the house. You don't get one _or_ the other; they are not to be opposed. SSL is a technology that ensures some security properties, which are a nice building block for a variety of usages, one of them being "a VPN". (I suppose that when you read "SSL" you think "Web site with `https://`", which is probably the source of the terminology confusion.)

    Thanks. That's why I'm confused. Thinking https. Btw I was sure that VPN encrypts data. When I use OpenVPN, there is a sublayer OpenSSL within. Well, with OpenSSL only, data are encrypted. With VPN they are *traffic'ed* only with known/authenticated clients. VPN = SSL + authentication *before* connecting = The key to enter the house + the key to "decrypt" the inside. While SSL is only a matter of encryption. ... still wrong? // SSL is encryption, VPN is networking. And the virtual privacy is ensured by: SSL + authentication.

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM